A no-fly zone for terrorism

By taking pilots out of the loop, can software prevent planes from being used as bombs?

Shares

December 14, 2001 1:30AM (UTC)

For a computer scientist trapped in coach on a San Francisco-to-New York flight, few of the standard anti-terrorism precautions now being discussed -- reinforced cockpit doors, the racial profiling of passengers, scanning checked luggage on domestic flights for bombs and even arming pilots with stun guns -- are likely to calm post-Sept. 11 jitters.

To a true geek, the best defense against planes being transformed into suicide bombs is a software solution. Let computers keep us safe. The attacks on the World Trade Center and the Pentagon have already inspired one University of California at Berkeley professor, Edward A. Lee, to create a proposal for "virtual no-fly zones" he calls "soft walls." The soft wall plan would make it impossible to fly a plane into a skyscraper or military installation, simply by altering some of the code that already exists on newer commercial aircraft.

Advertisement:

"The control system on the aircraft will enforce the regulations," says Lee, who is collaborating with Boeing on his system, which will take years to fully implement. In his design, a 3D model of the earth's atmosphere is combined with information about the earth's surface and specific regulatory constraints on flight space. Global positioning systems provide real-time data. The plane, regardless of what the pilot wants to do, is forbidden from going where it isn't supposed to go.

It's hard to imagine a more appealing prospect for a technologist: Let's let the machines save us from ourselves. Pilots, on the other hand, glower at the very idea.

"As an airline pilot, my response to the idea of using protective software to keep aircraft from flying into restricted airspace is to shake my head and roll my eyes. Sure, it's technically feasible, but that doesn't mean it's a good -- or at all practical -- idea," says P. Smith, a pilot for a large commercial airline who asked that his real name not be used.

Phaedra Hise, a private pilot and author of the forthcoming book "Pilot Error: The Anatomy of an Airplane Crash," explains: "A pilot just basically freaks out about someone else controlling his or her plane. When it's your life on the line, you don't want to be subject to an electronic system that might malfunction."

The conflict hinges on an old conundrum: What's really safer, a fallible human or a fallible machine? After Sept. 11, the question has taken on a new urgency -- although this time it isn't human error that is the problem, but human malfeasance. Can a computer be relied upon to override the human system, when a malicious human takes control?

While software programmers inevitably look for a solution constructed out of ones and zeros, it's just as fundamental to a pilot's mentality to resist giving up more control of the machine to another machine. But are pilots swimming against the tide? Technology incorporated into newer commercial airliners has already eroded pilot autonomy. After Sept. 11, could it be that depending on human decision-making to keep planes aloft is actually more frightening than depending on software?

Advertisement:

Here's how Lee's plan would work: In newer planes, the so-called "fly-by-wire" system mediates between the pilot's commands to the plane and the hardware that actually controls the aircraft. A layer of software already exists between any particular physical actions by the pilot and movements of the plane.

"The changes in the controls are processed by a computer before they are used to change what the aircraft does," says Lee.

Using GPS in conjunction with an airplane's own mechanical gyroscope system, the "soft walls" scheme would introduce resistance if the plane went, for example, too near a nuclear power plant or lower Manhattan or the Golden Gate Bridge or any other area pre-designated as a no-fly zone. From the pilot's perspective, says Lee, it would be like flying into a swirling turbulence.

"It would feel to the pilot as if the nose of the plane was being pushed over," says Lee. If the pilot continued to try to fight the bias of the plane against the resistance, eventually the system would simply not allow the plane to go that direction.

Advertisement:

"The key advantage is that the pilot maintains authority to the maximum extent that is consistent with not entering the restricted area," Lee says. He defends his scheme by arguing that it would take considerably less control away from the pilot than some of the more drastic proposals that have come out of Sept. 11 -- such as instituting remote control of airplanes from the ground.

The idea of taking control away from the pilot -- by any means necessary -- has risen in profile since Sept. 11. One of its most vocal proponents is Peter Huber, a fellow at the Manhattan Institute think tank, who boasted in an Oct. 15 article in Forbes, titled "Disable the Pilots," that he started calling for the pilot's role to be minimized as early as 10 years ago. Quoting himself, he wrote: "The biggest improvements in [aircraft] safety will often require cutting humans out of the decisional loop all together." For Huber, a system like Lee's is a step in the right direction.

Even President Bush has taken up the cause -- in a speech on Sept. 27 at Chicago's O'Hare Airport he promised that the government would look into "technology to enable [air traffic] controllers to take over distressed aircraft and land it by remote control." The war in Afghanistan has also presented a dramatic example of such technology -- the Air Force's Predator drones are operated via satellite from thousands of miles away, and have been conducting surveillance and bombing rides on targets in Afghanistan.

Advertisement:

But the remote control plan for commercial aircraft has been widely rejected by aviation experts, largely due, they say, to the considerable technical challenge of conveying all the information about the plane's status to the ground and the commands back to the plane, in real time. According to Lee, there's an inevitable and significant time lag between the plane and the ground. It's also a solution that creates its own new vulnerabilities: What if the hijacking conspirators are on the ground? Or, what if malicious crackers hack into the communication stream between the ground and the plane?

By comparison, Lee's proposal seems like a more moderate compromise. A pilot who is on course wouldn't even notice the system is in place. Lee also points out that the proposal avoids the air-to-ground-to-air conundrum since it is entirely self-contained on board the flight. But there would be no way to disable the soft walls system on board, since that would defeat the purpose, says Lee.

"The surest way to make the system effective is to prohibit override in any form," declares Lee's white paper. "Manual override on the aircraft is certainly out of the question. Override from the ground is perhaps doable, but the security of the communications becomes a problem, and the human authorization of the override creates a vulnerability."

Advertisement:

"In this scheme, there is no on/off switch. It doesn't work if there is an off switch" says Lee.

The no override policy may sound extreme, and is certainly likely to rankle pilots, but supporters of lessened pilot autonomy note that the current fly-by-wire systems already rein in the will of the pilot. As Huber notes, if a pilot tries to stall a plane by yanking on the yoke, the fly-by-wire system will simply override this command. And Airbus planes, pioneers of fly-by-wire, will not allow the pilots to maneuver aircraft beyond certain aerodynamic limits.

But pilots see a significant difference between keeping a plane from stalling and controlling where it will go. "I can live with an airplane that keeps its pilots from stalling or exceeding aerodynamic limitations, but not one that takes navigation into its own hands," says Smith.

Designating unbendable no-fly zones also presents its own set of problems. When the pilot can no longer choose in a split second where to attempt a landing in an emergency, who does? If it's absolutely impossible to fly into a no-fly zone, who gets to decide what neighborhoods are considered eligible for no-fly status?

Advertisement:

"The argument is that there is no emergency serious enough to try to justify landing on Fifth Avenue. You would really rather lose the aircraft and everyone aboard than have that happen," says Lee. But what about a less traveled route? It might still have some traffic, but would that be enough to make it a no-fly zone, or would it be OK for a faltering flight to try to land there in an emergency?

Will local communities, afflicted with NIMBYism, start lobbying to have their Main Streets included in these zones? Don't try to crash land your jet in my backyard! Successful implementation of the plan could result in a bizarre form of reverse redlining -- banks might not be willing to lend to poor neighborhoods, but it's fine for planes to crash into them. "The location and geometry of the no-fly zones is partly a political, military, and ethical question," writes Lee in his proposal.

As the professor is the first to admit, there are also some complications created by the virtual walls themselves. For instance, imagine there's an engine fire at the same time a plane encounters a no-fly zone. To avoid the no-fly zone, the software system might force more fuel into the engine at precisely the moment when a pilot would never give the engine more fuel, feeding the fire.

There's also the problem of putting the plane at the mercy of a system that depends in part on GPS. "A knowledgeable person could board an aircraft with an appropriately configured radio that would render the GPS system useless," says Lee. Spoof the GPS system, and you could bring down the soft walls. Although the plane's mechanical gyroscope acts a backup, the challenge is: "how to design a system so that there are enough levels of backup so that if the GPS system is jammed the software system itself does not disable the aircraft."

Advertisement:

Ed Badolato, a counter-terrorism security consultant based in Washington, doubts the feasibility of such a scheme. He compared it to a fenceless system to keep a dog in a yard, except in this case the airplane is wearing the collar that delivers the deterring shock. "We have 35,000 flights a day in the United States. It's not going to be a small task. It seems to me that it would be impractical from an operational, economic and security point of view."

As with all aviation software, much of the expense of such a system would be in testing it. "Technologically, it will have to be very, very seriously tested," says Badolato. It would be less costly in newer aircraft already equipped with fly-by-wire, but the expense in trying to retrofit older planes is harder to measure. And it's the Federal Aviation Administration's rigorous screening process for new software on planes that would likely be the biggest cost: "The principal expense in this kind of system is not in the cost of the hardware and the software, it's certification of the software," says Lee.

Given the magnitude of the disaster that occurred on Sept. 11, however, cost may not be the primary consideration. As Lee says: "A 777 with fully loaded fuel tanks is probably the most dangerous weapon that civilians are ever entrusted with. It's just that nobody ever saw it as a weapon before."